The IndonesianFoods Worm Has Created Over 100,000 Malicious Packages in npm

A self-propagating worm called IndonesianFoods has infected npm, spawning new packages every seven seconds. According to Sonatype security researchers, the malware has already created over 100,000 packages, and the number continues to grow.

The Worm's Naming Scheme

The worm's name references its package naming pattern, which uses random names associated with Indonesian dishes. While the packages currently contain no malicious functionality—no data theft or hidden backdoors—the situation could change with a single update that adds a payload.

Researchers warn that the automation level and scale of this attack create the potential for a massive software supply chain compromise.

Discovery and Tracking

Security researcher Paul McCarty first noticed the malicious campaign and created a dedicated page to track npm users associated with the worm and the number of packages they've published.

Sonatype analysts report that the same attackers attempted an earlier attack on September 10, 2025, using the package fajar-donat9-breki. Although it contained the same self-replication logic, it failed to spread.

Attack Objectives

Researchers believe IndonesianFoods isn't designed to compromise developers' machines directly. Instead, the worm appears designed to overwhelm the ecosystem and disrupt the world's largest software supply chain.

"This attack has overloaded numerous security systems, demonstrating an unprecedented scale," Sonatype stated. "Amazon Inspector flags such packages via OSV advisory, triggering a massive wave of vulnerability reports. Sonatype's database alone recorded 72,000 new advisories in a single day."

Token Farming Scheme

According to Endor Labs, some IndonesianFoods packages contain tea.yaml files with account and cryptocurrency wallet addresses. The attackers are abusing the TEA Protocol—a blockchain platform that pays tokens to open-source developers.

The scheme is straightforward: the more packages published and the higher their "impact score," the more tokens earned. Researchers believe the attackers created thousands of interconnected packages to farm tokens.

How the Worm Works

The worm itself exists as a single JavaScript file (auto.js or publishScript.js) inside each package. However, it doesn't activate automatically—it has no installation triggers or postinstall hooks. Someone must manually run it with node auto.js.

It remains unclear who manually executed this file, but the tens of thousands of infected packages suggest either multiple victims who opened the file for unknown reasons, or the attackers ran it themselves.

Endor Labs found no evidence of large-scale social engineering accompanying this campaign. However, the malware's code appears designed for scenarios where users are convinced—perhaps through fake tutorials—to run node auto.js to complete a setup.

The Attack Process

Once activated, the script runs in an infinite loop:

1. Removes "private": true from package.json
2. Generates a random name from a dictionary
3. Creates a random version number (to bypass npm's duplicate detection)
4. Publishes a new package via npm publish
5. Repeats continuously—spawning a new package every 7-10 seconds

"The repository is being clogged with junk, infrastructure resources are being wasted, search results are being polluted, and if someone accidentally installs such a package—hello, supply chain risks," McCarty wrote.

A Two-Year Campaign

According to Endor Labs, this spam campaign began two years ago with a calculated progression:

• 2023: Attackers added 43,000 packages to npm
• 2024: They incorporated monetization via TEA Protocol
• 2025: They added self-replication, transforming IndonesianFoods into a worm

Part of a Larger Pattern

IndonesianFoods isn't the first worm to target package repositories recently. The GlassWorm worm was discovered in OpenVSX and the Visual Studio Code Marketplace, while the Shai-Hulud worm compromised hundreds of npm packages.

Sonatype analysts warn that these simple yet effective malicious campaigns create perfect conditions for threat actors to stealthily introduce more serious malware into open-source ecosystems.